Personal details of 285 KrisFlyer members disclosed due to software bug: SIA

A Singapore Airlines plane (right)  at Changi Airport Terminal 2.
A Singapore Airlines plane (right) at Changi Airport Terminal 2.ST PHOTO: LIM YAOHUI

SINGAPORE - Personal details of over 280 KrisFlyer members may have been seen by other customers due to a software bug affecting Singapore Airlines’ (SIA) website on Friday (Jan 4).

“We have been made aware of a number of cases in which a customer logged in to his or her KrisFlyer account, under certain specific conditions, may have been able to see selective details of another customer,” an SIA spokesman said in response to queries.

These details may have included names, e-mail addresses, account numbers, membership tier statuses, KrisFlyer miles and rewards, travel history and in seven cases, passport details.

The spokesman added that the breach occurred when any two members log in to their KrisFlyer accounts and access transactions displaying their membership information at the same time, while also being assigned the same server by the system.

On Saturday, Facebook user Tricia Leo said in a post that when she logged into her KrisFlyer account, she realised that she could see another person’s e-mail address on her profile page.

“I tried a new login and I could see his entire history, upcoming trips, miles,” she wrote.

“If organisations that demand our personal data don’t guard our information properly, then they need to be called out on it.”

In a statement, SIA said that no changes were made to members’ accounts and no credit card details were disclosed.

Investigations based on system logs determined 285 cases in total, it added.

“We have established that this was a one-off software bug and was not the result of an external party’s breach of our systems or members’ accounts,” SIA said.

"The issue has been resolved and we will carry out a detailed review to ensure this will not happen again."

The software bug arose from a change to SIA’s website homepage on Friday, and the incident occurred between about 2am and 12.15pm.

 
 
 

SIA said that it is following up directly with affected customers, and has voluntarily informed the Personal Data Protection Commission (PDPC).

A PDPC spokesman confirmed that it had been notified of the incident, and added that the commission was looking into it.

“The protection of our customers’ personal data is of utmost importance to SIA, and we sincerely regret the incident,” SIA added.

This comes after a number of data leak incidents here last year.

The Straits Times reported in August that over 4,300 Shangri-La International Hotel Management rewards club members had details like names and e-mail addresses leaked, including "a small number" of Singapore customers.

In July, ST reported that some 3,000 RedMart customers were affected by a data breach that leaked their e-mail addresses and put them at risk of phishing. 

The same month, it was reported that Singapore suffered its worst cyber attack when hackers stole personal particulars of over 1.5 million patients from SingHealth.